2 Million Hacked Passwords Help Expose Our Vulnerability To Keyloggers

by Neal O'Farrell on December 11th, 2013

As security experts and the media dissected the recently-uncovered stash of more than 2 million hacked passwords on a hacker’s server in the Netherlands, from users of Facebook, Google, LinkedIn and Twitter, did the real story slip by?

One thing was certainly clear from examining the stolen passwords – how many people are still using awful, and awfully weak, passwords. Researchers from security firm Trustwave discovered the kidnapped passwords on a hacker server in the Netherlands, and a study of the stash revealed what we already know about passwords: that many users think weak, predictable passwords are perfectly OK. Some of the most common passwords discovered on the server, and apparently favored by many users, included 123456, 11111, and, worst of all, password. Yes, the word password for a password. Maybe we’re not explaining the whole concept of passwords properly.

But the other lesson that came from the discovery is how effective a little-known tool called a keylogger can be in fleecing passwords and other information from millions of computers. The initial suspect in this case was a keylogger, a small piece of malware that, once installed on a computer, will capture whatever the user types. And maybe even more. And there’s a good chance that your antivirus software won’t catch it.

In the same week the 2 million hacked passwords story broke, security firm OPSWAT released the results of some very interesting tests. When they tested 44 of the most popular antivirus products to see if they could detect a keylogger, only one was successful. A study by the University of Alabama found that those same products only catch around 25% of email-borne malware. And tests by Imperva put the success rate of AV products at detecting new malware at just 5%.

Keyloggers are typically after logins and passwords, often to commit identity theft and fraud or take over bank accounts. But they don’t just log what you type. They can also capture screenshots of what’s on your computer, screenshots of the websites you visit and the folders you open, and even what you search for. And software isn’t the only variety. There are also hardware keyloggers, designed to look like a plug or connector you’d expect to find at the back of a computer or even a cash register. One such keylogger was recently found plugged into a cash register at a Nordstrom store.

More advanced keyloggers can intercept data from wireless keyboards, and even collect and decipher the electromagnetic radiation or electrical signals given off by a keyboard. More than 25 years ago, a couple of former spooks showed me how they could capture a user’s ATM PIN from a van parked across the street, simply by capturing and decoding the electromagnetic signals generated by every keystroke. They could even capture keystrokes from computers in nearby offices, but the technology wasn’t sophisticated enough to focus in on any specific computer. 25 years later, that’s probably not so difficult.

And using a touch screen won’t help you avoid keyloggers. It’s still a keyboard sending signals that can be intercepted, and good keyloggers will record your screen activity anyway. And if you use public computers, like at a library, you could be especially vulnerable. Library computers have been a very popular watering hole for keyloggers for years. They generally have many different users, public access, poor security, and little supervision.

The damage is real and not theoretical. Javelin Strategy and Research estimates that nearly $5 billion was siphoned from U.S. bank accounts in 2012 by crooks using malware, and probably most involved some type of keylogger.

So what can you do to defend against this menace?

· Use anti-keylogger software, like Key Scrambler (free) or Guarded ID ($29.99 for two). They won’t protect you against every type of keylogging but are a good defense against the more common software-based ones. Some work by instantly encrypting or scrambling all your keystrokes so that they’re unusable to hackers.

· Use a safe surfing tool or plugin, like McAfee Site Advisor or Web of Trust (WoT). As users become more wary of malware hidden in email attachments, hackers are turning to websites instead. Known as watering holes, hackers will find vulnerable websites, load them with keylogging malware, and simply lie in wait for visitors to those sites. Security firm SiteLock says it’s finding more than 5,000 small business web sites every single day already compromised with malware. Safe surfing tools will help alert you to suspicious or dangerous websites before you click on them.

· Always have good antivirus software on every computer and device you use. Some of the best is free, including for your smartphone and tablet. And scan often – at least once a week is recommended.

· Change your passwords often and think about passphrases instead. Passphrases are explained below and are a much safer and easier alternative to passwords.

· Be careful what you download and install. Poor security habits and hygiene are a leading contributor to malware infections. Slow down, guard up, verify first, and only download if you’re really sure and you really need to.

· Be careful what you type and where. It might sound simple, but as any good spy will tell you, the best way to minimize your exposure to a telephone tap is to avoid saying anything important on a phone. Avoiding accessing your bank account from a public area, like a coffee shop, is a simple way to avoid the threat of a nearby sniffer.

Forget passwords – think passphrases

A passphrase is a short sentence that’s easy for you to remember – that describes something about you and your life, for example – but that a hacker would have a very hard time knowing or guessing.

For example, the phrase could be something like “I graduated from Notre Dame University on June 1st 2002.” Pick the first letter from every word in that phrase, making sure you keep the upper and lower case, and keep all the numbers.

That would give you the following password: “IgfNDUoJ1st2002”. That’s a massive 15 characters and includes upper and lower case letters and numbers. Change the “I” to the symbol “!” and now you’ve made it even harder to crack.
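The first-letter recipe above, written out as an added Python example (not code from the original article): it takes the article’s own sample phrase, keeps tokens that start with a digit whole so “1st” and “2002” survive, and applies an optional substitution map such as the “I” to “!” swap. The function and parameter names are my own.

```python
import re
import string
from typing import Dict, Optional

# Constructed sample input: the phrase the article walks through.
SAMPLE_PHRASE = "I graduated from Notre Dame University on June 1st 2002."


def passphrase_to_password(phrase: str,
                           substitutions: Optional[Dict[str, str]] = None) -> str:
    """Derive a password from a passphrase using the article's recipe.

    For every word: keep the first letter with its case preserved, except
    that a token starting with a digit ('1st', '2002') is kept whole.
    Then apply optional single-character substitutions, e.g. {'I': '!'}.
    """
    parts = []
    for token in re.findall(r"[A-Za-z0-9']+", phrase):
        if token[0].isdigit():
            parts.append(token)      # keep all the numbers
        else:
            parts.append(token[0])   # first letter, case preserved
    result = "".join(parts)
    for old, new in (substitutions or {}).items():
        result = result.replace(old, new)
    return result


def character_classes(password: str) -> Dict[str, object]:
    """Report the properties the article points to: length and the
    character classes (upper, lower, digit, symbol) the password covers."""
    return {
        "length": len(password),
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


if __name__ == "__main__":
    plain = passphrase_to_password(SAMPLE_PHRASE)
    hardened = passphrase_to_password(SAMPLE_PHRASE, {"I": "!"})
    print(plain, character_classes(plain))
    print(hardened, character_classes(hardened))
```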

Unless the hacker knows you personally, it would be nearly impossible to guess or crack such a passphrase. Even if the hacker did know you, they would have little way of knowing the phrase you chose.

And if you have trouble remembering the phrase, you can still write it down and keep it somewhere in your home, because there’s very little risk a hacker would find it in your home and recognize the phrase as a password. You can use similar or themed phrases to protect other accounts, but refer instead to when you graduated high school rather than college, or when your kids graduated, and so on.